...
Relevant documentation
Mitre T1566 - Phishing may be used to trick a user into performing an action they would not have done otherwise such as running a script or sharing a password.
Mitre T1091 - Malware may replicate itself onto removable media so that the next machine to connect it may execute via autorun or driver vulnerabilities.
Mitre T1204 - User execution, often gained via phishing, is the simplest way malware to begin execution.
Mitre T1547 - Malware may instruct Windows to execute malicious programs on boot or when a user logs in.
Mitre T1037 - Malware may instruct Windows to execute malicious scripts on boot or when a user logs in.
Mitre T1543 - Creating or modifying a system process can disguise malicious code as a normal, trusted system process from malware detection.